> -----Original Message-----
> From: Assaf Muller [mailto:as...@redhat.com]
> Sent: Monday, August 15, 2016 2:50 PM
> To: OpenStack Development Mailing List (not for usage questions)
> <openstack-dev@lists.openstack.org>
> Cc: Mooney, Sean K <sean.k.moo...@intel.com>
> Subject: Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
> security group driver with ovs-dpdk
>
> + Jakub.
>
> On Wed, Aug 10, 2016 at 9:54 AM,
> <kostiantyn.volenbovs...@swisscom.com> wrote:
> > Hi,
> >> [Mooney, Sean K]
> >> In ovs 2.5 only linux kernel conntrack was supported assuming you had
> >> a 4.x kernel that supported it. that means that the feature was not
> >> available on bsd,windows or with dpdk.
> > Yup, I also thought about something like that.
> > I think I was at-least-slightly misguided by
> > http://docs.openstack.org/draft/networking-guide/adv-config-ovsfwdriver.html
> > and there is currently a statement
> > "The native OVS firewall implementation requires kernel and user
> > space support for conntrack, thus requiring minimum versions of the
> > Linux kernel and Open vSwitch. All cases require Open vSwitch version
> > 2.5 or newer."
>
> I agree, that statement is misleading.

[Mooney, Sean K] the 2.6 branch now exists so it is probably ok to refer to 2.6 now.
https://github.com/openvswitch/ovs/commits/branch-2.6
The release should be made ~ September 15th
https://github.com/openvswitch/ovs/blob/797dad21566fecc60de3ce6f93c81ad55a61fe86/Documentation/release-process.md#release-scheduling
which will be before the next openstack release.
if you would like I can update the networking guide to reflect the change in ovs.

> >
> > Do you agree that this is something to change? I think it is not OK
> > to state OVS 2.6 without that being released, but in case I am not
> > confusing then:
> > -OVS firewall driver with OVS that uses kernel datapath requires OVS
> > 2.5 and Linux kernel 4.3
> > -OVS firewall driver with OVS that uses userspace datapath with DPDK
> > (aka ovs-dpdk aka DPDK vhost-user aka netdev datapath) doesn't have a
> > Linux kernel prerequisite
> > That is documented in table in " ### Q: Are all features available
> > with all datapaths?":
> > http://openvswitch.org/support/dist-docs/FAQ.md.txt
> > where currently 'Connection tracking' row says 'NO' for 'Userspace' -
> > but that's exactly what has been merged recently /to become feature
> > of OVS 2.6
> >
> > Also when it comes to performance I came across
> > http://openvswitch.org/pipermail/dev/2016-June/071982.html, but I
> > would guess that devil could be the exact flows/ct actions that will
> > be present in real-life scenario.
> >
> >
> > BR,
> > Konstantin
> >
> >
> >> -----Original Message-----
> >> From: Mooney, Sean K [mailto:sean.k.moo...@intel.com]
> >> Sent: Tuesday, August 09, 2016 2:29 PM
> >> To: Volenbovskyi Kostiantyn, INI-ON-FIT-CXD-ELC
> >> <kostiantyn.volenbovs...@swisscom.com>; openstack-
> >> d...@lists.openstack.org
> >> Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
> >> security group driver with ovs-dpdk
> >>
> >>
> >> > -----Original Message-----
> >> > From: kostiantyn.volenbovs...@swisscom.com
> >> > [mailto:kostiantyn.volenbovs...@swisscom.com]
> >> > Sent: Tuesday, August 9, 2016 12:58 PM
> >> > To: openstack-dev@lists.openstack.org; Mooney, Sean K
> >> > <sean.k.moo...@intel.com>
> >> > Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk]
> >> > conntrack security group driver with ovs-dpdk
> >> >
> >> > Hi,
> >> > (sorry for using incorrect threading)
> >> >
> >> > > > About 2 weeks ago I did some light testing with the conntrack
> >> > > > security group driver
> >> > > > and the newly
> >> > > >
> >> > > > Merged userspace conntrack support in ovs.
> >> > > >
> >> > By 'recently' - whether you mean patch v4
> >> > http://openvswitch.org/pipermail/dev/2016-June/072700.html
> >> > or you used OVS 2.5 itself (which I think includes v2 of the same
> >> > patch series)?
> >> [Mooney, Sean K] I used
> >> http://openvswitch.org/pipermail/dev/2016-June/072700.html
> >> or specifically I used the following commit
> >> https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c36e8a6e846669
> >> which is just after userspace conntrack was merged,
> >> >
> >> > So in general - I am a bit confused about conntrack support in OVS.
> >> >
> >> > OVS 2.5 release notes
> >> > http://openvswitch.org/pipermail/announce/2016-February/000081.html
> >> > state:
> >> > "This release includes the highly anticipated support for
> >> > connection tracking in the Linux kernel. This feature makes it
> >> > possible to implement stateful firewalls and will be the basis for
> >> > future stateful features such as NAT and load-balancing. Work is
> >> > underway to bring connection tracking to the userspace datapath
> >> > (used by DPDK) and the port to Hyper-V." - in the way that 'work
> >> > is underway' (=work is ongoing) means that a time of OVS 2.5
> >> > release the feature was not 'classified' as ready?
> >> [Mooney, Sean K]
> >> In ovs 2.5 only linux kernel conntrack was supported assuming you had
> >> a 4.x kernel that supported it. that means that the feature was not
> >> available on bsd,windows or with dpdk.
> >>
> >> In the upcoming ovs 2.6 release conntrack support has been added to
> >> the Netdev datapath which is used with dpdk and on bsd. As far as I
> >> am aware windows conntrack support is still Missing but I may be wrong.
> >>
> >> If you are interested the devstack local.conf I used to test that it
> >> functioned is available here http://paste.openstack.org/show/552434/
> >>
> >> I used an OpenStack vm using the Ubuntu 16.04 and 2 e1000 interfaces
> >> to do the testing.
> >>
> >> >
> >> > BR,
> >> > Konstantin
> >> >
> >> > > On Sat, Aug 6, 2016 at 8:16 PM, Mooney, Sean K
> >> > > <sean.k.moo...@intel.com> wrote:
> >> > > > Hi just a quick fyi,
> >> > > >
> >> > > > About 2 weeks ago I did some light testing with the conntrack
> >> > > > security group driver and the newly merged userspace conntrack
> >> > > > support in ovs.
> >> > > >
> >> > > > I can confirm that at least from my initial smoke tests where I
> >> > > > used netcat, ping and ssh to try and establish connections
> >> > > > between two vms the conntrack security group driver appears to
> >> > > > function correctly with the userspace connection tracker.
> >> > > >
> >> > > > We have not looked at any of the performance yet but assuming
> >> > > > it is at an acceptable level I am planning to deprecate the
> >> > > > learn action based driver in networking-ovs-dpdk and remove it
> >> > > > once we have cut the stable newton branch.
> >> > > >
> >> > > > We hope to do some rfc 2544 throughput testing to evaluate the
> >> > > > performance sometime mid-September.
> >> > > >
> >> > > > Assuming all goes well I plan on enabling the conntrack based
> >> > > > security group driver by default when the networking-ovs-dpdk
> >> > > > devstack plugin is loaded. We will also evaluate enabling the
> >> > > > security group tests in our third party ci to ensure it
> >> > > > continues to function correctly with ovs-dpdk.
> >> > > >
> >> > > > Regards
> >> > > >
> >> > > > Seán
> >> > > >

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev